Tenable.io Executor
Category: Network and Vulnerability Scanners
Script: tenableio.py
Integration: pyTenable SDK (tenable.io)
Faraday Plugin: NessusPlugin
Website: https://www.tenable.com/products/tenable-io
Description
Connects to the Tenable.io cloud platform via the pyTenable Python SDK to create, launch, or re-run vulnerability scans. Supports both built-in Tenable templates and user-defined scan policies. Exports results in Nessus format and parses them into Faraday.
Prerequisites
- Tenable.io account with API access
- API access key and secret key (generated in Tenable.io > Settings > My Account > API Keys)
- Python package: tenable
Configuration
Environment Variables (Setup)
| Variable | Required | Description |
|---|---|---|
| TENABLE_ACCESS_KEY | Yes | Tenable.io API access key |
| TENABLE_SECRET_KEY | Yes | Tenable.io API secret key |
| TENABLE_PULL_INTERVAL | No | Polling interval in seconds (default: 30) |
Execution Arguments
| Parameter | Type | Mandatory | Description |
|---|---|---|---|
| SCAN_NAME | string | No | Scan display name (default: "faraday-scan") |
| SCAN_ID | string | No | Existing scan ID to relaunch or export results from |
| SCAN_TARGETS | list | Conditional | JSON array of target IPs or domains. Required for new scans with user-defined templates |
| TEMPLATE_NAME | string | No | Built-in template name (default: "agent_basic") |
| RELAUNCH_SCAN | boolean | No | If true, relaunches the scan specified by SCAN_ID (default: false) |
| USE_USER_DEFINED_TEMPLATE | boolean | No | If true, uses a user-defined policy template instead of built-in (default: false) |
| AGENT_GROUP_NAME | string | Conditional | Agent group name (required for agent-based scans) |
YAML Configuration Example
```yaml
executors:
  tenableio_scan:
    repo_executor: tenableio.py
    max_size: 65536
    varenvs:
      TENABLE_ACCESS_KEY: "${TENABLE_ACCESS_KEY}"
      TENABLE_SECRET_KEY: "${TENABLE_SECRET_KEY}"
      TENABLE_PULL_INTERVAL: "30"
    params:
      SCAN_NAME:
        mandatory: false
        type: string
        base: string
      SCAN_TARGETS:
        mandatory: false
        type: list
        base: list
      TEMPLATE_NAME:
        mandatory: false
        type: string
        base: string
```
Use Cases
1. Create a New Scan with a Built-in Template
Set TEMPLATE_NAME to one of Tenable's 50+ built-in templates and provide SCAN_TARGETS:
| Template Name | Description |
|---|---|
| agent_basic | Basic agent scan (default) |
| agent_advanced | Advanced agent scan |
| basic | Basic network scan |
| advanced | Advanced network scan |
| webapp | Web application tests |
| pci | PCI quarterly external scan |
| log4shell | Log4Shell detection |
| discovery | Host discovery |
| malware | Malware scan |
2. Create a Scan with a User-Defined Template
Set USE_USER_DEFINED_TEMPLATE to true, provide TEMPLATE_NAME (the user-defined policy name), and SCAN_TARGETS.
3. Relaunch an Existing Scan
Set SCAN_ID to the existing scan ID and RELAUNCH_SCAN to true. The executor will relaunch the scan and wait for completion.
4. Export Results from a Completed Scan
Set SCAN_ID to the scan ID. Without RELAUNCH_SCAN, the executor exports the most recent results.
How It Works
- Authenticates with Tenable.io using the access/secret key pair
- Based on parameters, either creates a new scan, relaunches an existing one, or fetches results
- Polls the scan status at the configured interval until completion
- Exports results in Nessus format (.nessus)
- Parses the export through NessusPlugin and outputs Faraday JSON
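
The argument rules from the table and use cases above can be checked before any API call is made. The following is an added example, not code from tenableio.py: plan_scan and its return shape are hypothetical, parameters are assumed to arrive as strings in a dict, and a built-in template is assumed to be agent-based when its name starts with "agent_".

```python
import json

def _flag(params, name):
    """Boolean parameters arrive as text; only 'true' (any case) enables them."""
    return str(params.get(name, "false")).strip().lower() == "true"

def plan_scan(params):
    """Return (mode, details) for the execution arguments, or raise ValueError."""
    scan_id = str(params.get("SCAN_ID", "")).strip()
    relaunch = _flag(params, "RELAUNCH_SCAN")
    if scan_id:
        # Use cases 3 and 4: an existing scan is relaunched or only exported.
        return ("relaunch" if relaunch else "export", {"scan_id": scan_id})
    if relaunch:
        raise ValueError("RELAUNCH_SCAN needs SCAN_ID")

    template = params.get("TEMPLATE_NAME") or "agent_basic"
    user_defined = _flag(params, "USE_USER_DEFINED_TEMPLATE")
    details = {
        "name": params.get("SCAN_NAME") or "faraday-scan",
        "template": template,
        "user_defined": user_defined,
    }
    # Assumption: built-in templates named "agent_*" are the agent-based ones.
    if not user_defined and template.startswith("agent_"):
        group = str(params.get("AGENT_GROUP_NAME", "")).strip()
        if not group:
            raise ValueError("AGENT_GROUP_NAME is required for agent-based scans")
        details["agent_group"] = group
        return "create", details

    raw = params.get("SCAN_TARGETS", "")
    try:
        targets = json.loads(raw) if raw else []
    except json.JSONDecodeError as exc:
        raise ValueError(f"SCAN_TARGETS is not valid JSON: {exc}") from None
    if not isinstance(targets, list) or not all(
        isinstance(t, str) and t.strip() for t in targets
    ):
        raise ValueError("SCAN_TARGETS must be a JSON array of non-empty strings")
    # Targets are required for user-defined templates (table); this sketch
    # also requires them for built-in network templates (use case 1).
    if not targets:
        raise ValueError("SCAN_TARGETS is required for this scan")
    details["targets"] = [t.strip() for t in targets]
    return "create", details
```

Rejecting a malformed SCAN_TARGETS value up front keeps a typo from turning into a scan against an unintended target list.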
Notes
- API keys are generated per-user in Tenable.io under Settings > My Account > API Keys
- The agent_basic and agent_advanced templates require Tenable Nessus Agents installed on targets
- When using RELAUNCH_SCAN, the executor waits for the new scan to complete before exporting